SQL Server – Can TDE Be Used as an Anti-Injection Technique?

encryptionsql serversql-injectiontransparent-data-encryption

TDE prevent unauthorized access to the data by restoring the files to another server, because it requires the original encryption certificate and master key.

If i applied a table level encryption using TDE to my database, and am accessing the database from my windows application, through proper authentication. Consider that an intruder is trying some injection technique, my question is that whether he receives the original data or the encrypted one? or can we use TDE as an anti-injection technique?
The query from my application may looks like:

Dim myQuery="Select * from myTable where some_id='" & txtUserId.Text & "'

so that they can inject sql by giving the text like sameValue' or 1=1 or ' will give the whole data. in this case whether he get the encrypted data or be the actual data

Note: i don't use such queries in my application, am using parameterized query and sp throughout my application. asking this for just clarification.

Best Answer

The attacker will get the data unencrypted.

The T in TDE stands for "transparent". The user will never see encrypted data. The database transparently decrypts it when it is read from disk and transparently encrypts it when writing to disk. If your application is insecure, TDE doesn't help you plug those application security holes. You need to fix those in the application (so use bind variables!)

Related Solutions

SQL Server – Restore Database with Encrypted Column Without Overwriting Service Master Key

Server1 running SQL Server 2012 with Service Master Key A, db1 with Database Master Key 1, symmetric key and certificate available.

I assume that the db1 master key is encrypted with the SMK. This makes everything encrypted by the database master key 'available' to applications, w/o having to explicitly open the database master key.

What you need to do is to restore the database, open the database master key using the DBMK password and then add the Server 2 SMK encryption to the DBMK:

RESTORE DATABESE ... FROM ...;
USE ...;
OPEN MASTER KEY DECRYPTION BY PASSWORD = ...;
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;

Moving TDE Database to New SQL Server – Certificate Problems

You will need to create a master key on the new server - if it does not exit already.

USE MASTER;
GO
if not exists (select 1 from sys.symmetric_keys where name = '##MS_DatabaseMasterKey##')
 CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Strong_Password';

Then you have to restore your certificate:

CREATE CERTIFICATE serverCert  FROM FILE = 'C:\cert_Backups\servercert.cer'     
WITH PRIVATE KEY (FILE = 'C:\cert_Backups\servercert.key'
    ,DECRYPTION BY PASSWORD = 'strong_Passw0rD')
GO

But for this to work you will have to make sure that you made a backup of the original certificate with the private key.

Backup certificate ServerCert 
 to file = 'C:\cert_Backups\servercert.cer'
 with private key (file = 'C:\cert_Backups\servercert.key',
 encryption By Password = 'strong_Passw0rD')
GO

If you only have a cer file and not a key you will need to backup your certificate again

Best Answer

Related Solutions

SQL Server – Restore Database with Encrypted Column Without Overwriting Service Master Key

Moving TDE Database to New SQL Server – Certificate Problems

Related Question